fix: more login/session issues addressed

public/api/auth/index.ts

@@ -6,12 +6,14 @@ import { SESSION, SESSIONS } from '../../../models/session.ts';
 import { TOTP_ENTRIES } from '../../../models/totp_entry.ts';
 import { encodeBase64 } from 'jsr:@std/encoding/base64';
 import parse_body from '../../../utils/bodyparser.ts';
-import { SESSION_ID_TOKEN, SESSION_SECRET_TOKEN } from '../../../utils/prechecks.ts';
+import { get_session, get_user, PRECHECK_TABLE, require_user, SESSION_ID_TOKEN, SESSION_SECRET_TOKEN } from '../../../utils/prechecks.ts';
 import * as bcrypt from 'jsr:@da/bcrypt';
 import { verifyTotp } from '../../../utils/totp.ts';
 
 const DEFAULT_SESSION_TIME: number = 60 * 60 * 1_000; // 1 Hour
 
+export const PRECHECKS: PRECHECK_TABLE = {};
+
 // POST /api/auth - Authenticate
 export async function POST(req: Request, meta: Record<string, any>): Promise<Response> {
 	try {
@@ -158,6 +160,28 @@ export type SESSION_INFO = {
 	expires: string | undefined;
 };
 
+// DELETE /api/auth - log out (delete session)
+PRECHECKS.DELETE = [get_session, get_user, require_user];
+const back_then = new Date(0).toISOString();
+export async function DELETE(_request: Request, meta: Record<string, any>): Promise<Response> {
+	await SESSIONS.delete(meta.session);
+
+	const headers = new Headers();
+
+	headers.append('Set-Cookie', `${SESSION_ID_TOKEN}=; Path=/; Expires=${back_then}`);
+
+	// TODO: this wasn't really intended to be persisted in a cookie, but we are using it to
+	// generate the TOTP for the call to /api/users/me
+	headers.append('Set-Cookie', `${SESSION_SECRET_TOKEN}=; Path=/; Expires=${back_then}`);
+
+	return Response.json({
+		deleted: true
+	}, {
+		status: 200,
+		headers
+	});
+}
+
 const session_secret_buffer = new Uint8Array(20);
 export async function create_new_session(session_settings: SESSION_INFO): Promise<SESSION_RESULT> {
 	const now = new Date().toISOString();